The Method of Tracking Corrective Actions for Known Security Weaknesses Has Not Been Adequately Developed

January 2005

Reference Number: 2005-20-027

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

January 12, 2005

MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM: (for) Gordon C. Milbourn III, Assistant Inspector General for Audit (Small Business and Corporate Programs)

SUBJECT: Final Audit Report - The Method of Tracking Corrective Actions for Known Security Weaknesses Has Not Been Adequately Developed (Audit # 200420030)

This report presents the results of our review of the effectiveness of the Internal Revenue Service's (IRS) process for monitoring security weaknesses. The purpose of this review was to evaluate the Plans of Action and Milestones (POA&M) process employed by the IRS and determine whether the POA&M process satisfies the Office of Management and Budget (OMB) requirements and assists the agency in managing its risk and vulnerabilities.

OMB regulations state Information Technology (IT) security is one of several critical components agencies must meet to achieve a green or yellow status for the E-Government Scorecard. To achieve either status for the IT security component of the E-Government Scorecard, agencies must demonstrate consistent progress in reducing IT security weaknesses through their POA&Ms, and the Inspectors General must verify whether the process is effective.

In summary, the IRS has prepared POA&Ms to track both program-level and system-level weaknesses. However, the process it uses to identify weaknesses and report progress is flawed and ineffective. As a result, information provided to the Department of the Treasury and the OMB has been inaccurate and misleading.

The program-level POA&M identified the number of security reports issued by the Government Accountability Office and the Treasury Inspector General for Tax Administration, but it did not identify the specific weaknesses reported. As a result, the number of program-level weaknesses was significantly understated.

The system-level POA&Ms did not accurately and completely describe the security weaknesses and milestones, understated the number of weaknesses, and overstated progress in addressing the weaknesses. The IRS prepared almost identical POA&Ms for each system, noting only broad control topics rather than specific weaknesses. Specific actions aimed at correcting the weaknesses were not detailed, and responsible individuals were not identified. Essentially, the POA&Ms were so vague they could not be used in managing and overseeing the security program.

For the most recent POA&M submission to the Department of the Treasury, dated September 2004, the IRS reported 319 system-level weaknesses for its 80 major systems. This number is understated because it represents only management control weaknesses such as lack of a certification and accreditation, security plan, or tested contingency plan. Generally, operational and technical control weaknesses were not reported.

Progress in addressing the weaknesses was overstated. The IRS assumed if a system had been certified and accredited, then nearly all weaknesses noted on the system's POA&M could be closed. This assumption is not valid since certified and accredited systems can still have security weaknesses. We know of no testing that was done to identify security weaknesses or to ensure weaknesses were corrected.

To ensure an effective system is in place to monitor security weaknesses, we recommended the Chief, Mission Assurance and Security Services (MA&SS), coordinate with the Chief Information Officer (CIO) and business unit owners to develop POA&Ms that specifically identify all known security weaknesses. The POA&Ms should contain details sufficient to allow oversight of the IRS security program. The Chief, MA&SS, should also accurately report the results of efforts to correct security weaknesses. Testing should be conducted to ensure the weaknesses have been corrected before the POA&Ms are closed.

Management's Response: The Chief, MA&SS, agreed with our recommendations and has initiated a number of corrective actions. The Chief, MA&SS, has established a Federal Information Security Management Act (FISMA)[1] working group of executives and senior staff from the business units and from the Modernization and Information Technology Services organization to develop and implement an approach to managing the POA&M process. In coordination with the CIO and business unit owners, the Chief, MA&SS, will develop a matrix to allow the reconciliation and validation of corrective actions through the testing process. Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[1] The FISMA is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301, 2002.

Table of Contents

Background
The Current Method to Track Security Weaknesses Is Not Reliable or Effective
    Recommendation 1
    Recommendation 2
Appendix I - Detailed Objective, Scope, and Methodology
Appendix II - Major Contributors to This Report
Appendix III - Report Distribution List
Appendix IV - Management's Response to the Draft Report

Background

The Office of Management and Budget (OMB) requires all Federal Government agencies to identify and track their progress in correcting computer security weaknesses. Specifically, the OMB requires each agency to develop Plans of Action and Milestones (POA&M) for identifying and managing weaknesses in its security programs and systems. Plans should be developed to correct the weaknesses, milestones should be provided for monitoring actions, and completion dates should be set.

Each quarter, the Internal Revenue Service (IRS) must submit its current list of security weaknesses to the Department of the Treasury to demonstrate whether it is effectively managing its security program. The Department of the Treasury then combines these results with those from the other bureaus and provides the results to the OMB.

The OMB directs Inspectors General (IG) to assess, using specific criteria,[1] whether the agencies have developed, implemented, and managed an agency-wide POA&M process. IGs are required to report to the OMB annually on whether agencies have an effective process for monitoring security weaknesses.

OMB regulations state Information Technology (IT) security is one of several critical components agencies must meet to achieve a green or yellow status for the E-Government Scorecard. To achieve either status for the IT security component of the E-Government Scorecard, agencies must demonstrate consistent progress in reducing IT security weaknesses through their POA&Ms.

This review was performed in the Office of Mission Assurance and Security Services (MA&SS) at the IRS Headquarters in New Carrollton, Maryland, during April and May 2004. We delayed issuing this report so we could include modifications the IRS was making to the POA&M process for its Fiscal Year (FY) 2004 Federal Information Security Management Act (FISMA)[2] report for the period ending August 31, 2004. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Actions and Milestones, dated October 17, 2001.
[2] The FISMA is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301, 2002.

The Current Method to Track Security Weaknesses Is Not Reliable or Effective

The IRS has prepared POA&Ms to track both program-level and system-level weaknesses. However, the process it uses to identify weaknesses and report progress is flawed and ineffective. As a result, information provided to the Department of the Treasury and the OMB has been inaccurate and misleading.

Without an effective POA&M process, the IRS cannot identify and monitor security weaknesses to ensure the most significant weaknesses are timely addressed. In addition, the Department of the Treasury is developing a central database to track POA&Ms for all its bureaus. It envisions using this database to generate quarterly reports for the OMB. As the Department of the Treasury's largest bureau, the IRS must maintain an adequate POA&M process if the database is to be reliable. Also, without an effective POA&M process, the IRS will be unable to achieve either a green or yellow status on the E-Government Scorecard.

In our opinion, the IRS has not provided sufficient emphasis and instilled the discipline necessary to ensure it has a system in place to monitor security weaknesses. Consequently, it has reported only general weaknesses for its systems and overstated the actions it has taken to improve the security program.

The program-level POA&M cannot be used to monitor progress in addressing program-level weaknesses

The program-level POA&M addresses weaknesses that may affect security IRS-wide. Generally, the Chief, MA&SS, is responsible for preparing the POA&M and resolving these weaknesses.

For the quarter ending June 2004, the IRS reported nine computer security weaknesses on one program-level POA&M. The nine weaknesses coincided with the nine security issues of the computer security material weakness.[3] In August 2004, the IRS modified the program-level POA&M. It now includes 86 security weaknesses (1 plan for all 9 material weakness areas and 85 new computer security program-level weaknesses). The new weaknesses relate to the 85 Government Accountability Office (GAO) and Treasury Inspector General for Tax Administration (TIGTA) audit reports with open recommendations. These weaknesses had not been reported on prior submissions of the program-level POA&M.

However, the program-level POA&M cannot yet be used as a tool to track and monitor the IRS' progress in addressing its security program weaknesses. We have the following concerns:

• The number of program-level weaknesses reported to the Department of the Treasury is significantly understated. The IRS considered each GAO and TIGTA audit report to be one weakness, listing only the title of the report as the weakness. Since GAO and TIGTA reports generally identify more than 1 weakness, the actual number is several times the 85 weaknesses reported by the IRS.

• The POA&M indicates the status of all milestones is ongoing and does not reflect interim corrective actions that may have already been taken. The completion date for all program-level weaknesses is September 2005, which does not coincide with the corrective actions provided to the TIGTA reports.

[3] The IRS currently reports computer security as a material weakness. This material weakness is comprised of nine component security areas: 1) network access controls, 2) system and application access controls, 3) configuration management, 4) delineation of security roles and responsibilities, 5) segregation of system and security administration duties, 6) disaster recovery, 7) audit trails, 8) security training, and 9) certification and accreditation.

System-level POA&Ms cannot be used to monitor progress in identifying and correcting security weaknesses in the IRS' major systems

System-level POA&Ms address weaknesses that are specific to individual systems. Generally, the owner of the system, either the business unit owner or the Chief Information Officer (CIO), is responsible for preparing system-level POA&Ms and resolving these weaknesses.

The system-level POA&Ms the IRS prepared did not accurately and completely describe security weaknesses and milestones and understated the number of system-level weaknesses reported to the Department of the Treasury. The IRS stated the system security self-assessments it conducted in 2003 were the basis for identifying weaknesses included in the POA&Ms. In an earlier report,[4] we took exception to the approach taken by the IRS in conducting the self-assessments because the assessments did not include testing security controls.

In June 2004, the IRS provided the Department of the Treasury and the OMB with system-level POA&Ms for 92 major systems. The POA&Ms showed almost all of the systems had identical weaknesses. These weaknesses coincided with the 17 control topics provided by the National Institute of Standards and Technology (NIST) in its Security Self-Assessment Guide for Information Technology Systems[5] (5 management control weaknesses, 9 operational control weaknesses, and 3 technical control weaknesses).

The milestones for each system were also nearly identical, indicating certification and accreditation activities as the corrective actions. Milestones for each of the general support systems were identical.

In August 2004, the IRS revised the system-level POA&Ms. There are now 80 system-level POA&Ms, 1 for each of the revised number of systems in the major systems inventory. However, the number of weaknesses is understated, and the information provided on the system-level POA&Ms is still so general and vague that the IRS, TIGTA, GAO, Department of the Treasury, and OMB could not use them to monitor the progress of the IRS security program. For example:

• The weaknesses are still based on insufficient self-assessments because, as was true for FY 2003, the FY 2004 self-assessments did not include testing of security controls. We know of no testing that was done to identify specific security weaknesses.

• The weaknesses are still nearly identical for each system and are stated in terms of the NIST control areas rather than as specific security weaknesses.

• The milestones for all of the applications are identical: (1) assign accountable personnel, (2) perform gap analysis, (3) design and test process, and (4) implement solution.

• The IRS claims system-level POA&Ms must be vague to preclude an unauthorized or inadvertent disclosure of sensitive information. We disagree with this assertion. Oversight officials authorized to review POA&Ms must see the detailed weaknesses and milestones to be able to monitor progress on the corrective actions.

• The number of system-level weaknesses reported to the Department of the Treasury is understated. In September 2004, the IRS reported only 319 system-level weaknesses at the beginning of the quarter. This number is understated because it represents only 3 of the 17 NIST security controls for each system, such as the lack of certification and accreditation, or the lack of a security plan or tested contingency plan. Generally, operational and technical control weaknesses were not reported. Without reliable self-assessment results, as reported earlier, we cannot determine the actual number of weaknesses for each system; however, we estimate that it would be many times more than the number reported to the Department of the Treasury if all 17 NIST control areas were included.

• The number of TIGTA-identified weaknesses is also understated in the system-level POA&Ms. The TIGTA report titles are listed as the weaknesses rather than listing the specific management, operational, and technical control weaknesses described in the reports.

• The system-level POA&Ms do not include the names of individuals responsible for correcting the security weaknesses. Instead, only the responsible organizational units are named.

Progress in addressing the weaknesses was overstated. Weaknesses were closed off the system-level POA&Ms when a system was certified and accredited. No testing was done to evaluate specific security weaknesses. Instead, the IRS assumed if a system had been certified and accredited, then all weaknesses noted on the system's POA&M could be closed. The only exception was that a weakness would remain open on the POA&M for any certified and accredited systems that did not have a tested contingency plan.

The IRS apparently assumed certification and accreditation meant all weaknesses had been addressed. This assumption is not valid since certified and accredited systems can still have security weaknesses. We know of no testing that was conducted to ensure all specific security weaknesses were, in fact, corrected before the system-level POA&Ms were closed.

[4] Performance Data for the Security Program Should Be Corrected (Reference Number 2004-20-093, dated April 2004).
[5] SP 800-26, dated November 2001.

Recommendations

The Chief, MA&SS, should coordinate with the CIO and business unit owners to:

1. Develop POA&Ms that specifically identify known security weaknesses, provide detailed corrective actions, and identify responsible officials. All known weaknesses should be included in either program-level or system-level POA&Ms, and the POA&Ms should contain details sufficient to allow oversight of the IRS security program.

Management's Response: The Chief, MA&SS, has established a FISMA working group of executives and senior staff from the business units and the Modernization and Information Technology Services organization. The group will develop and implement an enterprise approach to managing the IRS' POA&M process. This approach will ensure that POA&Ms include all known security weaknesses, provide detailed corrective actions, and identify responsible officials.

2. Accurately report the results of efforts to correct security weaknesses for both program-level and system-level weaknesses. Testing should be conducted to ensure weaknesses have been corrected before the POA&Ms are closed.

Management's Response: To ensure weaknesses are corrected before being reported as closed, the Chief, MA&SS, in coordination with the CIO and business unit owners, will develop a matrix to allow the reconciliation and validation of corrective actions through the testing process.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to assess the effectiveness of the Internal Revenue Service's (IRS) process for monitoring security weaknesses. The purpose of the review was to evaluate the Plans of Action and Milestones (POA&M) process employed by the IRS and determine whether the POA&M process satisfies the Office of Management and Budget (OMB) requirements and assists the agency in managing its risk and vulnerabilities. We also wanted to establish the method used to track vulnerabilities identified by various oversight sources. To accomplish this objective, we:

I.   Determined the method used by the Office of Mission Assurance and Security Services to track known security vulnerabilities.

II.  Determined whether the sources used to track these vulnerabilities included the following information, as required by the OMB, in order to prepare a POA&M:
     A. Type of weakness.
     B. Office or organization responsible for resolving the weakness.
     C. Key milestones with completion dates.
     D. Source of the identified weakness (e.g., Treasury Inspector General for Tax Administration, Government Accountability Office, internal functions).

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Gerald Horn, Audit Manager
Joan Raniolo, Senior Auditor
William Simmons, Senior Auditor
Charles Ekholm, Auditor
George Franklin, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner - Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Information Officer OS:CIO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
    Chief Information Officer OS:CIO
    Chief, Mission Assurance and Security Services OS:MA

Appendix IV

Management's Response to the Draft Report